The very first tip of the day I wrote was Tip 2: Use a Base Security Role. The point of this tip is simple: don’t jam every permission needed by each group into each role. Instead, use a common role that includes the minimal permissions all users need to log into the application, then create smaller roles for each group with only their unique permissions.
In the past, I recommended starting with the Salesperson role, pretty much the standard role with the lowest permissions, as the basis for the base role: copy the role and then add the permissions needed by all users.
With the move to the Common Data Service and PowerApps, Microsoft has added a new standard role: Common Data Service User. This role includes the permissions needed to log into a model-driven app and access the Common Data Service, including user-level permissions for accounts, contacts, and activities, but no Dynamics 365 restricted entity access and no sales or opportunity entities.
This makes the CDS User role an ideal role upon which to base your base role. It includes everything users need to access the Common Data Service without including any permissions for sales or customer service entities.
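The base-role split described above can be checked before you touch a live environment. The following is an added example, not code from the original tip or from Microsoft: it models each role as a plain dictionary, factors two "everything jammed in" roles into a shared base plus per-group deltas, and confirms users end up with the same effective access. It relies on security roles being cumulative (a user with several roles gets the highest access level any of them grants); the role names and privilege labels are constructed for illustration and are not real privilege names.

```python
# Access levels in increasing order of scope.
LEVELS = ["None", "User", "Business Unit",
          "Parent: Child Business Units", "Organization"]
RANK = {name: i for i, name in enumerate(LEVELS)}

def effective(*roles):
    """Combine roles the way the platform does: highest level per privilege."""
    out = {}
    for role in roles:
        for priv, level in role.items():
            if RANK[level] > RANK[out.get(priv, "None")]:
                out[priv] = level
    return out

def factor(roles):
    """Split monolithic roles into one shared base role plus group deltas."""
    common = set.intersection(*(set(r) for r in roles.values()))
    # The base gets the lowest level any group holds for a shared privilege.
    base = {p: min((r[p] for r in roles.values()), key=RANK.get)
            for p in common}
    base = {p: lvl for p, lvl in base.items() if lvl != "None"}
    # A delta keeps only what the base does not already grant.
    deltas = {name: {p: lvl for p, lvl in role.items()
                     if RANK[lvl] > RANK[base.get(p, "None")]}
              for name, role in roles.items()}
    return base, deltas

def verify(roles):
    """True when base + delta reproduces every original role exactly."""
    base, deltas = factor(roles)
    return all(effective(base, deltas[n]) == effective(r)
               for n, r in roles.items())

# Constructed sample: two roles that each carry every permission they need.
MONOLITHIC = {
    "Sales": {"account.read": "Business Unit", "contact.read": "User",
              "activity.read": "User", "opportunity.read": "Business Unit"},
    "Service": {"account.read": "User", "contact.read": "User",
                "activity.read": "User", "case.read": "Business Unit"},
}

if __name__ == "__main__":
    base, deltas = factor(MONOLITHIC)
    print("base role:", base)
    for name, delta in deltas.items():
        print(f"{name} delta:", delta)
    print("equivalent to originals:", verify(MONOLITHIC))
```

A delta that comes out empty means that group needs nothing beyond the base role, and a privilege that appears in a delta at a higher level than the base is the group-specific elevation worth reviewing.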